Skip to main content

Imagemagick CVE-2025-53101

| EUVDEUVD-2025-21389 HIGH
Buffer Underwrite ('Buffer Underflow') (CWE-124)
2025-07-14 security-advisories@github.com GHSA-qh3h-j545-h8c9
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21389
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
Patch released
Mar 16, 2026 - 09:43 nvd
Patch available
PoC Detected
Nov 03, 2025 - 19:16 vuln.today
Public exploit code
CVE Published
Jul 14, 2025 - 20:15 nvd
HIGH 7.4

DescriptionGitHub Advisory

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick mogrify command, specifying multiple consecutive %d format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through vsnprintf(). Versions 7.1.2-0 and 6.9.13-26 fix the issue.

AnalysisAI

A remote code execution vulnerability in versions (CVSS 7.4). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type: remote code execution. CVSS 7.4 indicates high severity. Affects versions.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Vendor StatusVendor

Ubuntu

Priority: Medium
imagemagick
Release Status Version
upstream released 7.1.2-0, 6.9.13-26
bionic released 8:6.9.7.4+dfsg-16ubuntu6.15+esm4
plucky ignored end of life, was needed
focal released 8:6.9.10.23+dfsg-2.1ubuntu11.11+esm2
jammy released 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5+esm2
noble released 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm1
trusty released 8:6.7.7.10-6ubuntu3.13+esm13
xenial released 8:6.8.9.9-7ubuntu5.16+esm12
questing not-affected 8:7.1.1.43+dfsg1-1ubuntu1

Debian

Bug #1109339
imagemagick
Release Status Fixed Version Urgency
bullseye fixed 8:6.9.11.60+dfsg-1.3+deb11u6 -
bullseye (security) fixed 8:6.9.11.60+dfsg-1.3+deb11u10 -
bookworm fixed 8:6.9.11.60+dfsg-1.6+deb12u4 -
bookworm (security) fixed 8:6.9.11.60+dfsg-1.6+deb12u7 -
trixie fixed 8:7.1.1.43+dfsg1-1+deb13u1 -
trixie (security) fixed 8:7.1.1.43+dfsg1-1+deb13u6 -
forky fixed 8:7.1.2.15+dfsg1-2 -
sid fixed 8:7.1.2.16+dfsg1-1 -
(unstable) fixed 8:7.1.1.47+dfsg1-2 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP6 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP6 Fixed

Share

CVE-2025-53101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy